PT-2026-3261 · Dive · Dive

Tonycrane · Published 2026-01-16 · Updated 2026-02-09 · CVE-2026-23523

CVSS v3.1: 9.6 (Critical)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Dive versions prior to 0.13.0

Description: Dive is an open-source MCP Host Desktop Application that integrates with function-calling LLMs. A crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation, potentially leading to arbitrary local command execution on the victim’s machine. The vulnerability is related to the handling of deeplinks and the installation of MCP server configurations.

Recommendations: Update Dive to version 0.13.0 or later.

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-23523
GHSA-PJJ5-F3WM-F9M8

Affected Products

Dive